From dd07320891b8ec9bbe475aa3ef47d5cb93ca1e48 Mon Sep 17 00:00:00 2001
From: mchan9125
Date: Fri, 22 Oct 2021 15:35:06 -0700
Subject: [PATCH] initial commit of iam service role files
---
 .../README.md | 43 +++++++++++++++++++
 .../iamrole.yaml | 33 ++++++++++++++
 .../s3bucket.yaml | 11 +++++
 3 files changed, 87 insertions(+)
 create mode 100644 aws/cloudformation/iam_service_role_in_cloudformation/README.md
 create mode 100644 aws/cloudformation/iam_service_role_in_cloudformation/iamrole.yaml
 create mode 100644 aws/cloudformation/iam_service_role_in_cloudformation/s3bucket.yaml
diff --git a/aws/cloudformation/iam_service_role_in_cloudformation/README.md b/aws/cloudformation/iam_service_role_in_cloudformation/README.md
new file mode 100644
index 00000000..ec241e7b
--- /dev/null
+++ b/aws/cloudformation/iam_service_role_in_cloudformation/README.md
@@ -0,0 +1,43 @@
+# CloudFormation: use of an IAM Role for CloudFormation Deployments
+
+This document describes how to create an IAM Service Role for CloudFormation, particularly for an S3 bucket.
+
+# Prerequisites
+
+1. Only user with admin permissions can create role/policy
+2. The user using the IAMRole must have the following inline policies at a minimum:
+ 1. Service: IAM, Actions: Write:PassRole
+ 2. Service: CloudFormation, Actions: List:* , Read:* , Write: CreateChangeSet, CreateStack, ExecuteChangeSet, UpdateStack
+
+# Create Stacks in CLI
+
+## Create the IAMRole Stack in Cloudformation:
+
+`aws cloudformation create-stack --stack-name s3-stack-manager --template-body file://iamrole.yaml --capabilities CAPABILITY_NAMED_IAM`
+
+Note: when using an IAM Role cloudformation file, it must include the --capabilities command
+
+## Create the S3 Bucket Stack:
+
+Using the role made from the S3 Stack Manager, create the S3 bucket stack using the role arn:
+
+`aws cloudformation create-stack --stack-name [$STACK NAME] --role-arn [$ROLE ARN] --template-body file://s3bucket.yaml`
+
+An example with the S3StackManager Role arn:
+
+`aws cloudformation create-stack --stack-name s3-bucket-stack --role-arn arn:aws:iam::187376578462:role/S3StackManagerRole --template-body file://s3bucket.yaml`
+
+
+# Delete the Stack in CLI:
+
+`aws cloudformation delete-stack --stack-name [$STACK NAME]`
+
+# Update the Stack in CLI:
+
+## Update the IAMRole Stack:
+
+`aws cloudformation update-stack --stack-name [$STACK NAME] --template-body file://iamrole.yaml CAPABILITY_NAMED_IAM`
+
+## Update the S3 Bucket Stack
+
+`aws cloudformation update-stack --stack-name [$STACK NAME] --role-arn [$ROLE ARN] --template-body file://s3bucket.yaml`
diff --git a/aws/cloudformation/iam_service_role_in_cloudformation/iamrole.yaml b/aws/cloudformation/iam_service_role_in_cloudformation/iamrole.yaml
new file mode 100644
index 00000000..72732833
--- /dev/null
+++ b/aws/cloudformation/iam_service_role_in_cloudformation/iamrole.yaml
@@ -0,0 +1,33 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: Creates an IAM Role linked to an IAM Policy with AWS S3 full access.
+
+Resources:
+
+ IAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - cloudformation.amazonaws.com
+ Action:
+ - 'sts:AssumeRole'
+ RoleName: S3StackManagerRole
+
+ IAMPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: S3StackManagerPolicy
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - 's3:*'
+ Resource: '*'
+ Roles:
+ - !Ref IAMRole
\ No newline at end of file
diff --git a/aws/cloudformation/iam_service_role_in_cloudformation/s3bucket.yaml b/aws/cloudformation/iam_service_role_in_cloudformation/s3bucket.yaml
new file mode 100644
index 00000000..dfbdf44b
--- /dev/null
+++ b/aws/cloudformation/iam_service_role_in_cloudformation/s3bucket.yaml
@@ -0,0 +1,11 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: Creates an S3 Bucket
+
+Resources:
+
+ IAMRoleBucketExample:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: iamrolebucketexample
+ AccessControl: Private
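Review bot: The IAMPolicy statement in iamrole.yaml grants `s3:*` on `Resource: '*'`, so any stack run that assumes S3StackManagerRole can read, overwrite or delete objects in every bucket in the account, far more than deploying s3bucket.yaml requires; scope Action to the bucket-lifecycle calls the stack actually issues and Resource to the bucket it manages (`arn:aws:s3:::iamrolebucketexample`, or a name prefix if the role is meant to serve several bucket stacks). The trust policy also accepts `cloudformation.amazonaws.com` with no Condition, so in principle a CloudFormation run outside this account that knows the role ARN (the README prints one) could try to assume it; a `StringEquals` condition on `aws:SourceAccount` pins the trust to this account. `RoleName: S3StackManagerRole` is fixed, so a second deployment of this template in the same account fails on the name collision — worth a Parameter, or omit RoleName and let CloudFormation generate it. The action list below is the minimum I would expect for an AWS::S3::Bucket with AccessControl; confirm the full set against a test deploy before tightening it.
```yaml
# … unchanged: AWSTemplateFormatVersion, Description, IAMRole Type/RoleName …
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref AWS::AccountId
# … unchanged: IAMPolicy Type/PolicyName/Roles …
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - 's3:CreateBucket'
              - 's3:DeleteBucket'
              - 's3:PutBucketAcl'
              - 's3:GetBucketAcl'
            Resource: 'arn:aws:s3:::iamrolebucketexample'
```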
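Review bot: In s3bucket.yaml the bucket is hard-coded as `BucketName: iamrolebucketexample`, a globally unique S3 name, so the second person (or the second account) to run the README's create-stack command gets an already-exists failure rather than a bucket; take the name as a Parameter or drop BucketName and let CloudFormation generate one. `AccessControl: Private` only sets the initial bucket ACL; nothing in the template stops a later bucket policy or object ACL from exposing data, and no default encryption is declared, which matters for an example people will copy. Adding `PublicAccessBlockConfiguration` with all four flags set and a default `BucketEncryption` keeps the template safe to reuse as-is. The Description could also say what distinguishes this template, e.g. `Creates a private S3 bucket; intended to be deployed through the S3StackManagerRole service role`.
```yaml
Parameters:
  BucketName:
    Type: String   # constructed: caller supplies a globally unique name
# … unchanged: AWSTemplateFormatVersion, Description, Resources header …
  IAMRoleBucketExample:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
```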